Security issue with WebService [Get] Requests?


Problem description

After reading the famous (and only) article (http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx) that tries to explain why asmxs should NOT allow GET requests, so we shouldn't use [ScriptMethod(UseHttpGet = true)], I still have a question:

Why?

A web service, as its name says, is a service; it isn't supposed to care whether the request is GET or POST:

Even if a person does a CSRF, like embedding in his malicious site:

<script type="text/javascript" src="http://contoso.com/StockService/Stock.asmx/GetQuotes?symbol=msft" /> 

So what?

From the asmx point of view, it is just a normal request.

Can someone please spot the problem for me with an example?

There are many problems solved with new browsers. This link shows some other methods which should be tested in new browsers.

Recommended answer

JSON hijacking is briefly explained in this article.

Let's suppose that you have a web service that returns a list of credit card numbers to the currently authenticated user:

[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},
 {"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},
 {"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]

Here is how the attack is carried out:

1. Get an authenticated user to visit a malicious page.

2. The malicious page will try and access sensitive data from the application that the user is logged into. This can be done by embedding a script tag in an HTML page since the same-origin policy does not apply to script tags: <script src="http://<json site>/json_server.php"></script>. The browser will make a GET request to json_server.php and any authentication cookies of the user will be sent along with the request.

3. At this point, while the malicious site has executed the script, it does not have access to any sensitive data. Getting access to the data can be achieved by using an object prototype setter. In the code below an object prototype's property is being bound to the defined function when an attempt is being made to set the "ccnum" property.

    // Accumulates every "ccnum" value the returned JSON array tries to set
    var secrets = "";
    Object.prototype.__defineSetter__('ccnum', function(obj) {
        secrets = secrets.concat(" ", obj);
    });

4. At this point the malicious site has successfully hijacked the sensitive financial data (ccnum) returned by json_server.php.

There are also other forms of JSON hijacking techniques which do not rely on browser support for the __defineSetter__ function. That's just one way to conduct the attack, but there are many others as described in this article, such as Array constructor clobbering, UTF-7, and ES5 functionality.

For this reason, GET requests returning JSON are disabled by default in ASP.NET.
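As an added example (not part of the original answer, and not ASP.NET's own code), the following Node.js script writes out the two defensive ideas behind that default, which also answer the question's "so what?": a JSON response is served only to a POST that carries Content-Type: application/json, something a cross-site script tag or an HTML form cannot produce, and the response body is shaped so that it is a syntax error when a browser loads it as a script yet still trivial for the legitimate caller to decode. The request objects, the sample payload and the helper names (allowsJsonResponse, wrapResponse, guardResponse, isExecutableAsScript, unwrapResponse, unguardResponse) are constructed for this example; the {"d": ...} wrapper follows the convention later ASP.NET AJAX versions adopted, and the ")]}'," prefix is a variant used by some other frameworks.

```javascript
// Added example, not code from the original post or from ASP.NET.
//
// Why the method and the content type matter (the question's "so what?"):
// a <script src=...> tag can only issue a GET with no custom headers, and an
// HTML <form> can only POST form-encoded text. A request that is POST *and*
// declares "Content-Type: application/json" cannot be forged by either; a
// cross-origin XMLHttpRequest would first need a CORS preflight that the
// service never answers. Gating on both is the check the linked article
// describes for ASP.NET AJAX.
//
// Why the body shape matters: a bare JSON array is also a valid JavaScript
// program, so a script tag executes it. An object wrapper or an unparseable
// guard line turns the same data into a syntax error as a script.

// Constructed sample payload, mirroring the answer's credit-card example.
const SENSITIVE = [
  { id: "1001", ccnum: "4111111111111111", balance: "2345.15" },
  { id: "1002", ccnum: "5555555555554444", balance: "10345.00" },
];

// Server-side gate. `req` is a plain { method, headers } object standing in
// for an incoming HTTP request (header names assumed lower-cased).
function allowsJsonResponse(req) {
  if (req.method !== "POST") return false;
  const raw = req.headers["content-type"] || "";
  const mediaType = raw.split(";")[0].trim().toLowerCase(); // drop ";charset=..."
  return mediaType === "application/json";
}

// Response shaping, ASP.NET AJAX style: wrap the result in a "d" property.
// As a script, `{"d": [...]}` is a block containing a string literal followed
// by ':', which no JavaScript parser accepts.
function wrapResponse(data) {
  return JSON.stringify({ d: data });
}

// Alternative shaping used by some other frameworks: a guard line that is
// never valid JavaScript, followed by the real JSON.
const GUARD_PREFIX = ")]}',\n";
function guardResponse(data) {
  return GUARD_PREFIX + JSON.stringify(data);
}

// Would this body run if a browser fetched it through a <script> tag?
// `new Function` parses the text as a program body without executing it,
// so only the parse outcome is observed.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// What the legitimate same-origin XHR caller does with each shape.
function unwrapResponse(body) {
  return JSON.parse(body).d;
}
function unguardResponse(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Stand-alone demonstration of both defences on the constructed payload.
const scriptTagRequest = { method: "GET", headers: {} };
const ajaxRequest = { method: "POST", headers: { "content-type": "application/json; charset=utf-8" } };
console.log("script-tag GET served?      ", allowsJsonResponse(scriptTagRequest));
console.log("XHR POST application/json? ", allowsJsonResponse(ajaxRequest));
console.log("bare array runs as script? ", isExecutableAsScript(JSON.stringify(SENSITIVE)));
console.log("wrapped body runs as script?", isExecutableAsScript(wrapResponse(SENSITIVE)));
console.log("guarded body runs as script?", isExecutableAsScript(guardResponse(SENSITIVE)));
console.log("legitimate caller still gets", unwrapResponse(wrapResponse(SENSITIVE)).length, "records");
```

The executability check is the useful part for a reviewer: run it over a service's actual response bodies and anything that parses as a program is a candidate for hijacking when served over GET, regardless of what the method attribute says.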
